5 Gaps in RIA & Broker-Dealer Privacy Policies That Could Fail a Regulation S-P Exam

Most RIAs and broker-dealers believe their annual privacy notice satisfies the SEC’s privacy requirements. It doesn’t. 

The 2024 amendments to Regulation S-P significantly expand what firms must do to protect client data, supervise vendors, document safeguards, and prepare for breach notification. Beginning December 3, 2025 for large firms and June 3, 2026 for small firms, examiners will expect evidence — not assumptions — that your program is active, tested, and audit-ready. 

If you hesitated when asked whether your privacy policy fully protects your firm, your supervised persons, and your clients… you’re not alone. Most firms have gaps they don’t realize exist. 

Below are the five most common gaps that could cause an RIA or broker-dealer to fall short during a Regulation S-P exam — and how to fix them now.

 

Summary: The 5 Biggest Regulation S-P Gaps 

  • No written or tested incident response plan 
  • Weak or missing vendor oversight requirements 
  • Slow or undocumented breach notification workflow 
  • Outdated or incomplete Safeguards and Disposal Policies 
  • No evidence pack or compliance documentation trail 

 

Gap 1: No Incident Response Plan (Regulation S-P Incident Response Requirements) 

A privacy policy without a documented incident response plan (IRP) leaves your firm exposed. 

Under the amended rule, every financial institution must maintain written, role-based procedures for: 

  • Detecting incidents 
  • Containing threats 
  • Investigating unauthorized access 
  • Recovering systems and data 
  • Notifying affected clients 

Firms must also test their incident response plan annually and retain written records. Without this, even a simple phishing attack or vendor breach can become a regulatory event. 

Action Steps: 

  • Create a detailed, role-based incident response plan 
  • Test the plan annually through tabletop exercises 
  • Keep logs of every test — the SEC will request them 

 

Gap 2: Weak Vendor Oversight (Service Provider Oversight Requirements) 

Even strong internal security controls fail if third-party vendors don’t meet the same standard. 

Regulation S-P now requires RIAs and broker-dealers to maintain service provider oversight, including: 

  • Verifying that vendors apply appropriate data protections 
  • Ensuring vendor contracts include a 72-hour breach notification requirement 
  • Maintaining documented due diligence, reviews, and risk assessments 

This is one of the top areas where firms fail exams — especially smaller firms using multiple SaaS and IT providers. 

Action Steps: 

  • Review all vendor contracts for data protection and breach notice clauses 
  • Confirm 72-hour breach notifications are included 
  • Document due diligence, cybersecurity reviews, and vendor risk assessments 

 

Gap 3: Breach Notification Lag (30-Day Notification Rule) 

Under the updated rule, firms must notify affected clients within 30 days when sensitive information is (or is likely to have been) compromised. 

This requires: 

  • Pre-approved communications 
  • Clear internal approval workflows 
  • Documentation of every step from incident discovery to delivery 

Firms that try to “figure it out later” often fail the 30-day window due to slow internal coordination. 

Action Steps: 

  • Build pre-approved breach notification templates 
  • Define who drafts, reviews, and approves notices 
  • Map out the entire communication workflow 

 

Gap 4: Outdated Safeguards Policies (Administrative, Technical & Physical Controls) 

Many firms rely on privacy or safeguards policies written years ago — long before modern cyber threats, cloud systems, and distributed work environments. 

Regulation S-P now expects firms to maintain current and evidence-backed Safeguards Policies, including: 

  • Access controls and MFA 
  • Encryption of data in transit and at rest 
  • Secure disposal processes 
  • System monitoring and detection 
  • Data mapping and lifecycle management 

If your written policy doesn’t match your real-world practices, it will fail an exam. 

Action Steps: 

  • Review your entire data security framework 
  • Map where client and firm data resides and how it flows 
  • Update written Safeguards and Disposal Policies to reflect actual controls 

 

Gap 5: Missing Evidence Pack (Documentation Requirements) 

When examiners review your Regulation S-P program, “we have a policy” is not enough. 

Firms must produce a ready-to-share evidence pack, including: 

  • Version-controlled privacy, safeguards, and incident response policies 
  • Vendor contracts with breach notification language 
  • Incident response test logs 
  • Training attendance records 
  • Breach simulation results 
  • Documentation of all reviews and updates 

A firm that maintains a complete evidence pack passes examinations more smoothly and signals strong governance to clients. 

Action Steps: 

  • Build a centralized, version-controlled compliance folder 
  • Keep all policy updates, reviews, and test results 
  • Maintain evidence of training and vendor oversight 

 

What Regulation S-P–Ready Firms Have in Place 

A compliant, examination-ready RIA or broker-dealer has: 

  • A tested incident response plan with a documented 30-day notification workflow 
  • Vendor oversight procedures with breach notice clauses 
  • Updated safeguards and disposal policies aligned with real operations 
  • A version-controlled evidence pack 
  • Training for all employees who handle client data 

 

Final Thoughts 

Your privacy policy should be more than a regulatory checkbox — it should be a shield that protects your clients, your supervised persons, and your firm’s reputation.

If your policy lacks vendor oversight, incident response procedures, or up-to-date safeguards, now is the time to strengthen it — before the 2025/2026 Regulation S-P deadlines. 

 

Next Steps 

Download the Free Regulation S-P Compliance Checklist:

Review your privacy and security posture step-by-step to prepare for the new compliance deadlines. 

Watch the Webinar:

Learn from LawVisory’s compliance team how to build an audit-ready privacy and data protection program. 


Jeffrey Smith

Jeffrey Smith, JD, is the Managing Attorney at LawVisory, specializing in SEC compliance, privacy regulation, and regulatory risk management for RIAs, broker-dealers, and fintech innovators. With over a decade of experience advising regulated entities, Jeff helps firms operationalize compliance through actionable frameworks and evidence-based readiness programs.

Attorney Advertising—LawVisory PLLC is a U.S. law firm and provides this information as a service to clients, prospective clients, and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.